Know your enemy: making a business case for identity and access management
If 2015 is anything to benchmark against when it comes to data breaches, then 2016 should be the year that businesses button down against the escalating issue of ID and access management says Paul Trulove.
Paul Trulove, vice president of product management, SailPoint
CFOs across organisations have been wringing their hands over the cost of breaches, which has never been higher. Increasingly, these breaches are being tied back to identity-related issues, including the Ashley Madison breach, which former CEO and founder Noel Biderman suspects was at the hands of an individual who “touched” the company's IT systems.
Organisations need to know how to mitigate this risk and quickly respond to and contain the damage breaches like these can cause. Executives, board members, consumers, employees and partners are all concerned about breaches. But only companies that are proactive in building internal safeguards to minimise the impact of a breach are in position to defend against their cost and damage. Having a strategic identity and access management programme in place will safeguard against identity-related breaches and better help manage governance processes too.
For CFOs looking for justification, having a strong IAM business case will highlight the benefits, including lower costs and streamlined processes to improve profitability and efficiency, while protecting company and customer information. It will also provide a tool that continually measures the return on your investment, which will help justify future spending. Here is a guide for creating an IAM business case:
1. Assess your internal needs: Find out the most pressing issues and opportunities for management: security, compliance, escalating costs or inefficient procedures. Make these issues the centre of your business case
2. Create a baseline of costs and resources: Analyse your current IAM process in detail. Quantify all of the resources, both financial and manual labour, currently being used to support IAM processes
3. Clearly articulate the programme goals: Define the business goals your programme will achieve, as well as the expected benefits to the organisation. Explain which metrics will be collected, the type of improvement the business will experience – like governance, compliance and data security, and the value of that improvement compared to the cost of the programme
4. Build a financial model: Estimate how much the programme will cost, including technology, services, personnel and other related costs beyond software licences. Then project how the programme will save your organisation time and money. Not all benefits will be measured in sterling, so find a way to add monetary value to improvements like faster deprovisioning or fewer helpdesk tickets
5. Adjust the approach: If management doesn't respond to your business case, suggest breaking the programme into phases or look for smaller projects that offer quick wins. Once management sees the benefits from an IAM project, they're more likely to agree to a larger programme
It is clear that in recent times companies have made a mental shift from relying on the prevention of breaches at the perimeter of the network to ensuring they have damage control and resiliency when one does occur. It no longer seems to be a career-limiting move for a security professional to make a statement such as, “I know we are likely to be breached, I just don't know how or when.” What is career-limiting, however, is being exposed as unprepared and ill-equipped to minimise the damage associated with a breach. This new attitude is reshaping how organisations approach IT security.
The reality is that it's next to impossible to predict and stop every attack. In today's digital world, users need access to a myriad of critical systems, applications and data in order to do their jobs. These assets not only exist behind the corporate firewall, but the growing trend of SaaS application adoption often means that they exist outside of the corporate network, as well. Add the fact that the way users are accessing these assets is becoming ever more diversified through the adoption of mobile computing, and you have a very complex environment. The traditional network perimeter is rapidly vanishing, so relying on a well-protected wall around the corporate network is no longer a sufficient form of security.
One of the most encouraging signs of the change in attitude is that the vast majority of organisations are recognising the need for visibility and control over who has access to what for all application types, both in the cloud and on-premise, independent of the device they are using for that access. This is precisely what identity and access management does.
Putting an effective identity management solution at the centre of your security strategy allows an organisation to quickly react to a breach, better understand who and what is at risk, and potentially shut down an attack from spreading. What's at stake is after all the severity of the data loss, not simply the fact that they were breached, that will impact a company's brand and damage its bottom-line.
Contributed by Paul Trulove, vice president of product management, SailPoint